Security: Servoy can call an uninstalled module

Questions, tips and tricks and techniques for scripting in Servoy

Post by Gordon » Tue Nov 15, 2011 1:15 pm

I am not sure if this is a security risk or just an error, but I have a solution that contains two modules, ES_Authenticator and ES_Security, plus the main solution. The content for the two modules is broadly based on a test solution I produced where the modules are called GM_Authenticate and GM_Login. These two are not installed as modules in the current solution, which has been restarted several times.

When this script is called:

Code:
var branchlist = security.authenticate('GM_authenticate', 'getBranches', [username])


The branchlist variable returns an object and functions as if the modules (GM_Authenticate and GM_Login) were actually included with the solution.

So my thoughts were: is this a security problem where an uninstalled module can be called by a solution, or is this expected behaviour, and should the Authenticator and Login process not actually be included in the main solution as modules?

Cheers
Gordon
Gordon McLean
Click Digital Media Ltd
SAN Developer
www.clickdigital.com

Re: Security: Servoy can call an uninstalled module

Post by rgansevles » Tue Nov 22, 2011 11:37 am

Gordon,

The security.authenticate() call uses an authenticator solution that is installed in the server.
The authenticator solution does not have to be a module; in fact, in the smart client it can't even be used as a module, because authenticator solutions are never sent to the smart client for security reasons.

Basically there is no module-relation between the calling solution and the installed authenticator solution.
The only reasons to include the authenticator as a module are for debugging in developer and for ease of deployment (import).

Rob
Rob Gansevles
Servoy

Re: Security: Servoy can call an uninstalled module

Post by Gordon » Tue Nov 22, 2011 12:08 pm

Hi Rob

The Servoy-provided demo was done using Modules. I based my version on the Servoy example, which is a pity because making the change will further delay the solution. Thanks for the reply anyway; as before, security is important and I appreciate Servoy are trying hard to make this a top priority.

Gordon
Gordon McLean
Click Digital Media Ltd
SAN Developer
www.clickdigital.com